Failure impact analysis of network events

ABSTRACT

Failure impact analysis (or “impact analysis”) is a process that involves identifying effects of a network event that are may or will results from the network event. In one example, this disclosure describes a method that includes generating, by a control system managing a resource group, a resource graph that models resource and event dependencies between a plurality of resources within the resource group; detecting, by the control system, a first event affecting a first resource of the plurality of resources, wherein the first event is a network event; and identifying, by the control system and based on the dependencies modeled by the resource graph, a second resource that is expected to be affected by the first event.

CROSS REFERENCE

This application is a continuation application of and claims priority toU.S. patent application Ser. No. 16/946,994 filed on Jul. 14, 2020,which is hereby incorporated by reference herein in its entirety.

TECHNICAL FIELD

This disclosure relates to computer networks, and more particularly, tomanagement of network devices.

BACKGROUND

A computer network is a collection of interconnected computing devicesthat can exchange data and share resources. A variety of devices operateto facilitate communication between the computing devices. For example,a computer network may include routers, switches, gateways, firewalls,and a variety of other devices to provide and facilitate networkcommunication.

These network devices typically include mechanisms, such as managementinterfaces, for locally or remotely configuring the devices. Byinteracting with the management interface, a client can performconfiguration tasks as well as perform operational commands to collectand view operational data of the managed devices. For example, theclients may configure interface cards of the device, adjust parametersfor supported network protocols, specify physical components within thedevice, modify routing information maintained by a router, accesssoftware modules and other resources residing on the device, and performother configuration tasks. In addition, the clients may allow a user toview current operating parameters, system logs, information related tonetwork connectivity, network activity or other status information fromthe devices as well as view and react to event information received fromthe devices.

The explosion in the number of Internet of Things (IoT) and the need forlarge data centers to host cloud and web applications create a need formechanisms to effectively analyze, evaluate, and/or control complex,heterogeneous and distributed networks. Network systems tend to needdistributed and fast diagnosis solution techniques to analyze dependentevents. In complex networks, a breakdown in the underlying layer of thenetwork may cause a large number of higher layer services to fail, whichmay or may not be directly connected to the failing component.

SUMMARY

This disclosure describes techniques for determining an impact that anetwork event involving one resource in a network may have on otherresources in the network. In some examples, such techniques may involvederiving impact analysis rules based on model dependencies (e.g., bothresource and event dependencies). In some examples, an expert systemthat uses forward chaining principles may use the derived impactanalysis rules to determine predicted or expected impacts resulting froma network event. Identifying such impacts may involve generating logicalevents based on the rules, where such logical events may be caused bynetwork events or other logical events. In some cases, logical andnetwork events may be merged with corresponding logical or networkevents to facilitate efficient and/or intelligent processing of events.

In some examples, this disclosure describes operations performed by acontrol system in accordance with one or more aspects of thisdisclosure. In one specific example, this disclosure describes a methodcomprising detecting, by a control system, a first network eventaffecting a first resource of a plurality of resources on a network;generating, by the control system and based on dependencies among theplurality of resources, a logical event associated with a secondresource, wherein the second resource is expected to be affected by thefirst network event; detecting, by the control system and aftergenerating the logical event associated with the second resource, asecond network event affecting the second resource; and refraining, bythe control system, from processing the second network event.

In another example, this disclosure describes a system comprisingprocessing circuitry and a storage device, wherein the processingcircuitry has access to the storage device and is configured to: detecta first network event affecting a first resource of a plurality ofresources on a network; generate, based on dependencies among theplurality of resources, a logical event associated with a secondresource, wherein the second resource is expected to be affected by thefirst network event; detect, after generating the logical eventassociated with the second resource, a second network event affectingthe second resource; and refrain from processing the second networkevent.

In another example, this disclosure describes a computer-readablestorage medium comprising instructions that, when executed, configureprocessing circuitry of a computing system to preform operations asdescribed herein.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating an example network configured toperform failure impact analysis in accordance with one or more aspectsof the present disclosure.

FIG. 2 is a block diagram illustrating an example controller that may beused for failure impact analysis, in accordance with one or more aspectsof the present disclosure.

FIG. 3 is conceptual diagram illustrating components of an exampleprogrammable diagnosis model, in accordance with one or more aspects ofthe present disclosure.

FIG. 4 is a conceptual diagram illustrating example resource definitiongraphs, in accordance with one or more aspects of the presentdisclosure.

FIG. 5 is a conceptual diagram illustrating an example resourcedefinition graph, in accordance with one or more aspects of the presentdisclosure.

FIG. 6A through FIG. 6D are conceptual diagrams illustrating an exampleimpact analysis performed using an instance dependencies graph inaccordance with one or more aspects of the present disclosure.

FIG. 7 is a flow diagram illustrating operations performed by an examplecontroller in accordance with one or more aspects of the presentdisclosure.

DETAILED DESCRIPTION

Failure impact analysis (or “impact analysis”) is a process thatinvolves identifying effects of a network event that may or will resultfrom the network event. Failure impact analysis may enable earlydetection of a failure or other network event, and may also enableremedial actions to be taken sufficiently early so that effects of thenetwork event may be mitigated or avoided. Fault diagnosis (sometimesreferred to as “root cause analysis” or “RCA”) is closely related tofailure impact analysis. RCA is a process to identify the initiatingcondition or event that triggers a network component failure from a setof possible candidate events/conditions that are generated or presentwithin a discrete time window. RCA can be a critical task for operatorsto maintain a properly functioning network. A few possible techniquesthat may be used to perform both impact analysis and RCA include a modeltraversing technique and a dependency graph technique.

The model traversing technique uses object models to determine faultpropagation. The network is represented using various components andrelationships between the components. Based on this model representingthe network, fault dependencies can be inferred and used to identify theroot cause of an issue. Model traversing techniques do not specify faultdependencies directly, but instead, derive the fault dependencies fromthe model during run-time. These techniques are suitable for a networkthat changes frequently. However, by themselves, model traversingtechniques cannot deal with more complex fault propagation scenarios(e.g., model traversing techniques typically base fault propagation onan assumption that only one issue happens at a time, etc.).

The dependency graph technique uses a directed graph to modeldependencies between the object events. Nodes represent network elements(e.g., network devices and/or hosts). An edge from node A:event to nodeB:event indicates that the failures in node A can cause failures in nodeB. Dependency graphs are often used in networks with infrequent changes.In networks with frequent changes, the dependencies need to be updatedfrequently. Network complexity is on the increase, particularly in lightof the rapid increase in the number of connected devices, the relativelycomplex topology of distributed networks, and increasing internet ofthings (IoT) adoption. These factors also contribute to theheterogeneity of networks, due to the differences in device capabilitiesand configurations. For example, one network can be overlaid on top ofanother network. For example, virtual private networks (VPNs) areoverlaid on internet protocol (IP) networks that use it as a transportlayer. Network troubleshooters need a mechanism by which to correlatethe issues across layers with a generic model-driven solution that canbe applied to any network and service topology, that can supportnetworks with frequent changes, and that can support multiple concurrentfaults at a time.

Because networks are dynamic with respect to their structures andcomponents, adaptability of the correlation system to ongoing changes inthe network topology, component types and versions, and the servicesoffered may represent a technical improvement over existing impactanalysis or RCA technologies. Programmable diagnosis services, asdescribed herein, may provide scalability and response times that enablereliable impact analysis and RCA over dynamic, heterogenous networks.Such a programmable diagnosis model may enable network administrators toprogram the network and device resources including service resources,device resources, and resource dependencies therebetween. Additionally,a programmable diagnosis model may enable network administrators toprogram cause-and-effect relationships between resource events that mayoccur within the network. Such a model may also enable administrators toinitialize telemetry rules, either with device resource properties inthe case of device resources, or via service association inheritance inthe case of service-associated device resources. Based on a modelprogrammed in this way, a controller operating within a network mayautomatically derive inference rules with respect to resource eventinterrelationships. The controller may occasionally, periodically, orcontinually update the inference rules, and implement the inferencerules to perform impact analysis or RCA-based forward chaining ofnetwork resource events. A programmable diagnosis model may also enableincorporation, into the model, of temporal relationships betweenresource events to perform impact analysis or RCA among potentiallyinterrelated events. The inference rules can be augmented with temporalconstraints to enable temporal-based impact analysis or RCA.

Techniques described herein may use element models, service models, andmulti-layer models. The element model accounts for network devices thatuses various resources (e.g., a packet forwarding engine (PFE), a linecard, interfaces, chassis, CPUs, etc.), captures the relationshipsbetween these resources, and captures dependencies between variousnetwork resource events. The service model accounts for services spreadacross the devices (e.g., layer-3 (L3) VPN/virtual private LAN services(VPLS), label-switched path (LSP) tunnels, etc.). The service modelcomprises various events captured at the service level. The servicemodel captures (i) service and service endpoint associations, (ii)connectivity link (path) between various endpoint (e.g., a VPN servicewith endpoints Node A, B, C contains a tunnel between Node A and Node Band a tunnel between Node A and Node C, etc.), (iii) dependencies acrossservice events, (iv) dependencies across the endpoint events, and (v)dependency between device event to service event. Networks are typicallylayered, and as such, a broken link in an underlying layer or any otherproblem in the lower layer services cause many higher layer services tofail, even when these services are not directly connected to the failingcomponents. The multi-layer model can capture (i) service to servicedependencies, (ii) service link to service link dependencies, and (iii)dependencies across service events.

Aspects of underlying element and service models are described in U.S.patent application Ser. No. 16/731,372, filed Dec. 31, 2019 entitled“Network Model Aware Diagnosis Of A Network,” the entire content ofwhich is incorporated herein. Techniques described herein may also use aprogrammable diagnosis service, such as that described in U.S. patentapplication Ser. No. 16/821,745, filed Mar. 17, 2020 entitled“Programmable Diagnosis Model For Correlation Of Network Events,” theentire content of which is incorporated herein by reference

Modern data centers and/or networks are often evaluated, compared, anddistinguished by reliability and service levels. In some cases, for datacenters that provide networking and compute services for hire, datacenter customers tend to expect service level agreements (“SLAs”) thatobligate or guarantee data center performance for end-to-end services.Accordingly, dealing with failures or other events that may affectnetwork performance and service SLAs can be important. Metrics such asMean Time between Failures (MTBF) and Mean Time to Repair (MTTR) aresometimes used as the basis for SLAs. For data center providers bound bysuch SLAs, reacting quickly and accurately when detecting a failure of anetwork resource is particularly important.

Networks tend to be dynamic with respect to their structures andcomponents. An impact analysis or RCA system that can adapt to changesin network topology, component types and versions, services offered, andother aspects of a network is advantageous. One way to enable suchadaptability is for a diagnosis service to be programmable. In somecases, such a programmable diagnosis service may enable an administratorto define resources, resource dependencies, and/or cause and effectrelationships across those resources. When such attributes of a networkare defined, it may be possible for an inference engine or other systemto derive inference rules that can be used for performing impactanalysis and/or RCA.

A failure impact analysis system, in various examples described herein,may derive failure impact analysis rules based on model dependencies,where such dependencies could include both resource and eventdependencies. In some examples, a forward chaining-based expert systemapproach may be based on such failure impact analysis rules. In someexamples, such failure impact analysis rules may be derived based onresource dependences as described herein. Along with inferred impactevents (e.g., “logical events”), one or more corresponding actual or“real” events (“network events”) also may be generated. A failure impactanalysis system should deal with such a situation effectively, such asby updating the actual event and/or correctly representing the actualnetwork event.

FIG. 1 is a block diagram illustrating an example network configured toperform failure impact analysis in accordance with one or more aspectsof the present disclosure. Network 102 includes network devices,components, or elements that may be managed using a control system orcontroller device, such as controller 110. In some examples, network 102may be an enterprise network operated or managed by an enterprise orother organization. Managed elements 114A-114G (collectively, “elements114”) of network 102 include network devices interconnected viacommunication links to form a communication topology enabling theexchange of resources and information. Elements 114 may be organizedinto one or more resource groups, and may include, for example, routers,switches, gateways, bridges, hubs, servers, firewalls or other intrusiondetection systems (IDS) or intrusion prevention systems, computingdevices, computing terminals, printers, other network devices, or acombination of such devices. While described in this disclosure astransmitting, conveying, or otherwise supporting packets, network 102may transmit data according to any other discrete data unit defined byany other protocol, such as a cell defined by the Asynchronous TransferMode (ATM) protocol, or a datagram defined by the User Datagram Protocol(UDP). Communication links interconnecting elements 114 may be physicallinks (e.g., optical, copper, and the like), wireless, or anycombination thereof.

Network 102 is shown coupled to a public network 118 (e.g., theinternet) via a communication link. Public network 118 may include, forexample, one or more client computing devices. Public network 118 mayprovide access to web servers, application servers, public databases,media servers, end-user devices, and other types of network resourcedevices and content.

Controller 110 may be communicatively coupled to elements 114 within oneor more resource groups via network 102. Controller 110, in someexamples, forms part of a device management system, although only onedevice of the device management system is shown for ease of illustrationin FIG. 1 . Controller 110 may be coupled either directly or indirectlyto the various elements 114. Once elements 114 are deployed andactivated, administrators 112 may use controller 110 (or multiple suchmanagement devices) to manage network devices using a device managementprotocol. One example device protocol is the Simple Network ManagementProtocol (SNMP) that allows controller 110 to traverse and modifymanagement information bases (MIBs) that store configuration data withineach of the managed elements 114. Further details of the SNMP protocolcan be found in Harrington et al., RFC 3411, “An Architecture forDescribing Simple Network Management Protocol (SNMP) ManagementFrameworks,” Network Working Group, the Internet Engineering Task Forcedraft, December 2002, available at tools.ietf.org/html/rfc3411, theentire contents of which are incorporated herein by reference.

In common practice, controller 110, also referred to as a networkmanagement system (NMS) or NMS device, and elements 114 are maintainedby an information technology (IT) group of the enterprise.Administrators 112 may interact with controller 110 to remotely monitorand configure elements 114. For example, administrators 112 may receivealerts from controller 110 regarding any of elements 114, viewconfiguration data of elements 114, modify the configurations data ofelements 114, add new network devices to network 102, remove existingnetwork devices from network 102, or otherwise manipulate network 102and network devices therein. Although described herein with respect toan enterprise network, the techniques of this disclosure are alsoapplicable to other network types, public and private, including LANs,VLANs, VPNs, and the like.

In some examples, administrators 112 use controller 110 or a localworkstation to interact directly with elements 114, e.g., throughtelnet, secure shell (SSH), or other such communication sessions. Thatis, elements 114 generally provide interfaces for direct interaction,such as command line interfaces (CLIs), web-based interfaces, graphicaluser interfaces (GUIs), or the like, by which a user can interact withthe devices to directly issue text-based commands. For example, theseinterfaces typically allow a user to interact directly with the device,e.g., through a telnet, secure shell (SSH), hypertext transfer protocol(HTTP), or other network session, to enter text in accordance with adefined syntax to submit commands to the managed element. In someexamples, the user initiates an SSH session 115 with one of elements114, e.g., element 14F, using controller 110, to directly configureelement 14F. In this manner, a user can provide commands in a format forexecution directly to elements 114.

Further, administrators 112 can also create scripts that can besubmitted by controller 110 to any or all of elements 114. For example,in addition to a CLI interface, elements 114 may also provide interfacesfor receiving scripts that specify the commands in accordance with ascripting language. In a sense, the scripts may be output by controller110 to automatically invoke corresponding remote procedure calls (RPCs)on the managed elements 114. The scripts may conform to, e.g.,extensible markup language (XML) or another data description language.

Administrators 112 use controller 110 to configure elements 114 tospecify certain operational characteristics that further the objectivesof administrators 112. For example, administrators 112 may specify foran element 114 a particular operational policy regarding security,device accessibility, traffic engineering, quality of service (QoS),network address translation (NAT), packet filtering, packet forwarding,rate limiting, or other policies. Controller 110 uses one or morenetwork management protocols designed for management of configurationdata within the managed network elements 114, such as the SNMP protocolor the Network Configuration Protocol (NETCONF) protocol, or aderivative thereof, such as the Juniper Device Management Interface, toperform the configuration. Controller 110 may establish NETCONF sessionswith one or more of elements 114.

Controller 110 may be configured to compare a new intent data model toan existing (or old) intent data model, determine differences betweenthe new and existing intent data models, and apply the reactive mappersto the differences between the new and old intent data models. Inparticular, controller 110 determines whether the new data modelincludes any additional configuration parameters relative to the oldintent data model, as well as whether the new data model modifies oromits any configuration parameters that were included in the old intentdata model.

The intent data model may be a unified graph model, while the low-levelconfiguration data may be expressed in YANG, which is described in (i)Bjorklund, “YANG—A Data Modeling Language for the Network ConfigurationProtocol (NETCONF),” Internet Engineering Task Force, RFC 6020, October2010, available at tools.ietf.org/html/rfc6020, and (ii) Clemm et al.,“A YANG Data Model for Network Topologies,” Internet Engineering TaskForce, RFC 8345, March 2018, available at tools.ietf.org/html/rfc8345(sometimes referred to as “RFC 8345”). In some examples, the intent datamodel may be expressed in YAML Ain′t Markup Language (YAML). Controller110 may include various reactive mappers for translating the intent datamodel differences. These functions are configured to accept the intentdata model (which may be expressed as structured input parameters, e.g.,according to YANG or YAML). The functions are also configured to outputrespective sets of low-level device configuration data model changes,e.g., device configuration additions and removals. That is, y1=FIG.1(x), y2=FIG. 2(x), . . . yN=fN(x).

Controller 110 may use YANG modeling for intent data model and low-leveldevice configuration models. This data may contain relations across YANGentities, such as list items and containers. As discussed in greaterdetail herein, controller 110 may convert a YANG data model into a graphdata model, and convert YANG validations into data validations.Techniques for managing network devices using a graph model for highlevel configuration data are described in “Configuring And ManagingNetwork Devices Using Program Overlay On Yang-Based Graph Database,”U.S. patent application Ser. No. 15/462,465, filed on 17 Mar. 2017, theentire content of which is incorporated herein by reference.

Controller 110 may receive data from any of administrators 112, wherethe data represents create, update, and/or delete actions with respectto the unified intent data model. Controller 110 may be configured touse the same compilation logic for each of create, update, and delete asapplied to the graph model.

In general, controller 110 may use a hierarchical data model forintents, low-level data models, and resources. The hierarchical datamodel can be based on YANG or YAML. The hierarchical data model can berepresented as a graph, as discussed above. Modern systems havesupported intents to ease the management of networks. Intents aretypically declarative. To realize intents, controller 110 attempts toselect optimal resources to realize the declared intents.

In accordance with one or more aspects of this disclosure, controller110 performs failure impact analysis when one or more of the networkelements 114 exhibits a failure (e.g., packet loss, or other failure).To perform such an analysis, controller 110 uses a model of resourceinterdependencies and event type interdependencies. Controller 110 mayuse or implement an inference engine, which may be an expert systemand/or a finite state machine with a cycle consisting of three actionstates: match rules, select rules, and execute rules. Rules are appliedon a set of facts active in memory. A fact model captures network eventinformation.

In some examples, controller 110 and an associated inference engine (notshown in FIG. 1 ) recognizes two kinds of events: network events andlogical events. Network events may be real, actual events generated fromthe network, and logical events may be those events generated fromanother rule as result of another network event. In some examples,network events are generated by a device on a network that isexperiencing an operational condition or failure. In some examples,logical events are generated by controller 110.

An object definition for network and logical events may have thefollowing form:

  class Event {  string id;  string type;  boolean isLogical;  booleanisProcessed;  string context; }

An inference engine, as described herein, may operate using rulescreated with temporal constraints. Such temporal constraints orrelations may be important in handling the network events, since theyhelp correlate how events happen over time. Events may be relative toeach other and might be difficult to describe using a specifictimestamp. Temporal operators or attributes may include those indicatingan event is “before” and “after” another event.

Controller 110 may, based on a network resource event dependency model,generate the rules applied by the inference engine. In some examples,controller 110 may generate a rule template using parameters based onthe cause and effect dependencies defined in the network resource model.Controller 110 generates inference facts for the rule based on thecause-effect dependencies.

An object definition for an inference may include a cause and a list ofeffects, and may have the following form:

  class Inference { string cause; list<string> effects; }

To perform failure impact analysis, controller 110 may generate logicalevents which are dependent on the actual network events occurring in thenetwork. Such a process may include identifying, using an inferencerule, related resource instances which are dependent on the resourceinstance of an event, where that event may be an actual network eventreceived by controller 110. Such a process may also include controller110 identifying, for every dependent resource, related event types basedon a resource event dependency model. Controller 110 may use thisinformation to generate logical events.

Identifying related resources for an event may be performed using anetwork model. In some examples, information sufficient to identify suchrelated resources may be stored in a resource store or in a cache. Suchinformation may include a one-level dependency maintained for eachresource, and may have a form such as:

-   -   <resource_type>:<resource_instance_id>.

For example in one network model, a resource dependency chain may havethe form:

-   -   ge-0/0/1→lsp1→bng_svl_vpn    -   ge-0/0/1→lsp2→bng_ca_vpn

Where “ge-0/0/1” has a dependency of “lsp1,” and “lsp1” has a dependencyof “bng_svl_vpn.” Also, “ge-0/0/1” has an additional dependency of“lsp2,” and “lsp2” has a dependency of “bng_ca_vpn.”

A resource store or cache may maintain such information as follows:

Key Value INTERFACE:ge-0/0/1 LSP:lsp1, LSP:lsp2 LSP:lsp1 VPN:bng_svl_vpnLSP:lsp2 VPN:bng_ca_vpn

Identifying related event types may involve using a resource eventdependency model and using dependencies within the inference engine thatspecify a list of dependent events for every “cause event.” An objectdefinition of such a dependency object may have the form:

  class Dependency { string cause; string effect_resource_type; listeffects; }

For example, if the dependency model has the mapping shown below,controller 110 creates dependency facts illustrated in the table belowthe mapping:

-   -   INTERFACE:OPER_DOWN→VRF:DOWN    -   INTERFACE:OPER_DOWN→LSP:STATUS_DOWN    -   LSP:STATUS_DOWN→VPN:STATUS_DOWN

Cause Effect Resource Type Effects INTERFACE: VRF VRF:DOWN OPER_DOWNINTERFACE: LSP LSP: OPER_DOWN STATUS_DOWN, LSP: HIGH_LATENCY LSP: VPNVPN: STATUS_DOWN, STATUS_DOWN

Controller 110 uses information having the form illustrated in the tableabove (e.g., stored in a resource store or cache) to find the relatedevents for a given dependent resource.

Once controller 110 has identified both related resources for an event,and has identified related event types for that event, controller 110may generate logical events. Controller 110 may apply a forwardingchaining process that involves inferring unknown truths from known dataand moving forward using determined conditions and rules to find asolution. In some examples, this may involve merging the effects andcauses based on the generated inferences, persisting or storing an RCAtree (e.g., a graph of related events generated as part of the chainingprocess) in a database for further event analysis, and persisting orstoring a list of logical events present in the RCA tree, therebyenabling another system to perform further analysis on the actual impactor effects on network 102.

FIG. 2 is a block diagram illustrating an example controller or controlsystem that may be used for failure impact analysis, in accordance withone or more aspects of the present disclosure. In FIG. 2 , controlsystem, controller device, or controller 110 of FIG. 2 may correspond toor be an example of controller 110 of FIG. 1 . In the exampleillustrated in FIG. 2 , controller 110 includes control unit 202,network interface 204, and user interface 206. The network interface 204represents an example interface that can communicatively couplecontroller 110 to an external device, e.g., one of elements 114 of FIG.1 . The network interface 204 may represent a wireless and/or wiredinterface, e.g., an Ethernet® interface or a wireless radio configuredto communicate according to a wireless standard, such as one or more ofthe IEEE 802.11 wireless networking protocols (such as 802.11 a/b/g/n orother such wireless protocols). Controller 110 may include multiplenetwork interfaces in various examples, although only one networkinterface is illustrated in the non-limiting example of FIG. 2 .

Control unit 202 represents any combination of hardware, hardwareimplementing software, and/or firmware for implementing thefunctionality attributed to the control unit 202 and its constituentmodules and elements. When control unit 202 incorporates software orfirmware, control unit 202 further includes any necessary hardware forstoring and executing the software or firmware, such as one or moreprocessors or processing units. In general, a processing unit mayinclude one or more microprocessors, digital signal processors (DSPs),application specific integrated circuits (ASICs), field programmablegate arrays (FPGAs), fixed function circuitry, programmable processingcircuitry, or any other equivalent integrated or discrete logiccircuitry, as well as any combinations of such components. A processingunit is generally implemented using fixed and/or programmable logiccircuitry.

User interface 206 represents one or more interfaces by which a user,such as administrators 112 of FIG. 1 , interacts with controller 110,e.g., to provide input and receive output. For example, the userinterface 206 may represent one or more of a monitor, keyboard, mouse,touchscreen, touchpad, trackpad, speakers, camera, microphone, or thelike. Furthermore, although in this example controller 110 includes auser interface 206, administrators 112 need not directly interact withcontroller 110, but instead may access controller 110 remotely, e.g.,via the network interface 204.

Functionality of the control unit 202 may be implemented as one or moreprocessing units in fixed or programmable digital logic circuitry. Suchdigital logic circuitry may include one or more microprocessors, digitalsignal processors (DSPs), application specific integrated circuits(ASICs), fixed function circuitry, programmable logic circuitry, fieldprogrammable gate arrays (FPGAs), or any other equivalent integrated ordiscrete logic circuitry, as well as any combination of such components.When implemented as programmable logic circuitry, the control unit 202may further include one or more computer readable storage media storinghardware or firmware instructions to be executed by processing unit(s)of control unit 202.

In this example, control unit 202 includes a user interface module 208,network interface module 210, and management module 212. Control unit202 executes user interface module 208 to receive input from and/orprovide output via user interface 206. Control unit 202 also executesnetwork interface module 210 to send and receive data (e.g., inpacketized form) via network interface 204. The user interface module208, the network interface module 210, and the management module 212 mayagain be implemented as respective hardware units, or in software orfirmware implemented by appropriate hardware infrastructure, or acombination thereof.

The control unit 202 executes a management module 212 to manage variousnetwork devices, e.g., elements 114 of FIG. 1 . Management includes, forexample, configuring the network devices according to instructionsreceived from a user (e.g., administrators 112 of FIG. 1 ) and providingthe user with the ability to submit instructions to configure thenetwork devices. The management module 212 accesses various databases,such as a configuration database 214, a model database 216, an inferencedatabase 218 and a telemetry database 220, that store data to assist inmanaging the various network devices. While the databases 214-220 areillustrated as separate databases, one or more of these databases214-220 may be combined or otherwise rearranged. In this example, themanagement module 212 further includes a configuration module 222 anddiagnosis service 224. In some examples, diagnosis service 224 may beprogrammable and/or configurable by a user and/or administrators 112.Further details relating to such a programmable diagnosis service areavailable in U.S. Provisional patent application Ser. No. 16/821,745,filed Mar. 17, 2020 entitled “Programmable Diagnosis Model ForCorrelation Of Network Events,” the entire content of which isincorporated herein by reference.

The management module 212 is configured to receive intentunified-graph-modeled configuration data for a set of managed networkdevices from a user, such as administrators 112. Such intentunified-graph-modeled configuration data may be referred to as an“intent data model.” Over time, the user may update the configurationdata, e.g., to add new services, remove existing services, or modifyexisting services performed by the managed devices. The unified intentdata model may be structured according to, e.g., YANG or YAML. The graphmodel may include a plurality of vertices connected by edges in ahierarchical fashion. In YANG, edges of graph models are representedthough “leafref” elements. In the case of YAML, such edges may berepresented with a “ref” edge. Similarly, parent-to-child vertexrelations can be represented with a “has” edge. For example, a vertexfor Element A refers to a vertex for Element B using a has-edge can beunderstood to mean, “Element A has Element B.”

The configuration database 214 generally includes information describingthe managed network devices, e.g., elements 114. The configurationdatabase 214 may include information indicating device identifiers (suchas Media Access Control (MAC) and/or Internet Protocol (IP) addresses),device type, device vendor, devices species (e.g., router, switch,bridge, hub, etc.), or the like. The configuration database 214 alsostores current configuration information (e.g., intent data model, or insome cases, both intent data model and low-level configurationinformation) for the managed devices (e.g., elements 114).

The model database 216 includes the models configured by a user, via theconfiguration module 222, that describe the structure of network 102. Asdescribed below, the model database 216 includes a network awarediagnosis model that is used by diagnosis service 224 to perform rootcause analysis to find the malfunctioning element 114 that is a sourceof an event even when the malfunction is not the direct/immediate resultof the event, but instead, a cascading downstream effect of the event.

Modules illustrated in FIG. 2 (e.g., user interface module 208,controller 110, configuration module 222, diagnosis service 224 and/orillustrated or described elsewhere in this disclosure may performoperations described using software, hardware, firmware, or a mixture ofhardware, software, and firmware residing in and/or executing at one ormore computing devices. For example, a computing device may execute oneor more of such modules with multiple processors or multiple devices. Acomputing device may execute one or more of such modules as a virtualmachine executing on underlying hardware. One or more of such modulesmay execute as one or more services of an operating system or computingplatform. One or more of such modules may execute as one or moreexecutable programs at an application layer of a computing platform. Inother examples, functionality provided by a module could be implementedby a dedicated hardware device.

Although certain modules, data stores, components, programs,executables, data items, functional units, and/or other items includedwithin one or more storage devices may be illustrated separately, one ormore of such items could be combined and operate as a single module,component, program, executable, data item, or functional unit. Forexample, one or more modules or data stores may be combined or partiallycombined so that they operate or provide functionality as a singlemodule. Further, one or more modules may interact with and/or operate inconjunction with one another so that, for example, one module acts as aservice or an extension of another module. Also, each module, datastore, component, program, executable, data item, functional unit, orother item illustrated within a storage device may include multiplecomponents, sub-components, modules, sub-modules, data stores, and/orother components or modules or data stores not illustrated.

Further, each module, data store, component, program, executable, dataitem, functional unit, or other item illustrated within a storage devicemay be implemented in various ways. For example, each module, datastore, component, program, executable, data item, functional unit, orother item illustrated within a storage device may be implemented as adownloadable or pre-installed application or “app.” In other examples,each module, data store, component, program, executable, data item,functional unit, or other item illustrated within a storage device maybe implemented as part of an operating system executed on a computingdevice.

FIG. 3 is a conceptual diagram illustrating components of an exampleprogrammable diagnosis model, in accordance with one or more aspects ofthe present disclosure. Programmable diagnosis model 300, which may beimplemented by a controller, such as controller 110, models the networkfrom multiple perspectives to be usable with networks with frequentlychanging topologies and support multiple concurrent faults at a time.Programmable diagnosis model 300 may be an example databasecorresponding to or included within model database 216 of FIG. 2 . Inthe illustrated example, programmable diagnosis model 300 includesnetwork resource model(s) 302, a diagnosis model 304, telemetry rules306, and temporal metadata 308. The network resource model(s) 302include service resource model(s) and device resource model(s), anddefine inter-resource dependencies. The telemetry rules 306 provide datathat that enables controller 110 to monitor the state of one or morecomponents in network 102. The telemetry rules 306 also enablecontroller 110 to generate or instigate alarms based on detectingthresholds configured in network 102. In some examples, the telemetryrules 306 may be included in a network resource model that also includesa network model (as described in U.S. patent application Ser. No.16/731,372) for network 102 and device model information for deviceelements of elements 114.

Diagnosis model 304 captures the cause and effect (sometimes referred toherein as “correlations”) relationship between various resources. Forexample, diagnosis model 304 may reflect cause-and-effect relationshipsacross events that occur over network 102. The cause and effectrelationships are defined between resources and resource alarms/events.When the cause and effect relationship is defined between resources, anycritical alarm/event on a resource causes an effect on “supportingresources.” When the cause and effect relationship is defined betweenresource alarms/events, an event on a resource causes an effect on a“supported resource” events.

Programmable diagnosis model 300 is used by diagnosis service 224 toperform forward-chained impact analysis and/or RCA in accordance withaspects of this disclosure. To aid in identifying the root cause of afault or other event while accommodating dynamic changes in the topologyof network 102, programmable diagnosis model 300 enables administratorsto update aspects of diagnosis model 304 by providing programming input310 via controller 110. Diagnosis service 224 uses programming input 310to construct a resource definition graph that models network resourcesand interdependencies therebetween. Based on the model constructed inthis way, diagnosis service 224 discovers the resources from network 102and builds the relations across the discovered resources.

Individual vertices of the resource definition graph include one or more“playbooks” (see FIG. 4 ) that define respective telemetry rule(s)enabling diagnosis service 224 to fetch state information from network102. The resource definition graph constructed by diagnosis service 224captures both network model and device model information, as well ascorresponding rules of the telemetry rules 306. The resource definitiongraph also includes diagnosis model 304, which provides cause and effectrelationship information across events detected within network 102. Agiven vertex of the resource definition graph (including resource modelinformation along with telemetry rule information) enables diagnosisservice 224 to discover network and device resource instances of eachobject that exist on network 102, to collect the data required to filland update the value of the object attributes, and to compute the actualvalue of the “state” attributes defined.

Programmable diagnosis model 300 also includes temporal metadata 308.Temporal metadata 308 includes information describing timing informationof events detected among elements 114 of network 102. Temporal metadata308 may include exact times, approximate times, or relative timesmeasured with respect to discrete events detected within network 102.Based on criteria provided in programming input 310 or based on othercriteria, diagnosis service 224 may apply the portions of temporalmetadata 308 to potentially interrelated events to perform RCA withrespect to a downstream event. In one example, the diagnosis service mayretain or eliminate an event as a possible upstream cause based onwhether or not the event occurred within a threshold time frame ofcausality with respect to the downstream event.

Using the combination of the network resource model(s) 302, diagnosismodel 304 formed or updated with programming input 310, telemetry rules306, and temporal metadata 308, diagnosis service 224 forms one or moreof the inference rules stored to inference database 218. In turn,diagnosis service 224 applies those inference rules of inferencedatabase 218 that are applicable to the particular event under impactanalysis or RCA to run programmable diagnosis model 300. The outputproduced by running programmable diagnosis model 300 is shown in FIG. 3as forward-chained RCA output (or impact analysis output) 312.

More specifically, diagnosis service 224 uses the programmed model (aversion of diagnosis model 304 formed using programming input 310) toautomatically derive the relevant inference rules of inference database218. In accordance with aspects of this disclosure, the inference rulesstored to inference database 218 may be subject to one or more temporalconstraints, which are described in greater detail below with respect tothe application of temporal metadata. Diagnosis service 224 applies thederived inference rules to identify the impact analysis or source of thefault under RCA. When performing RCA, inference engine 226 maintains theevent being analyzed in cache memory for a predetermined time interval,and generates an inference upon receiving a dependent event. Uponcorrelating the events, inference engine 226 may generate a smart eventwith an RCA tree and a root cause event to be output as part offorward-chained RCA output 312. In some examples, diagnosis service 224saves the forward-chained RCA output 312 to an analytics database whichmay be implemented locally at controller 110, at a remote location, orin a distributed manner.

FIG. 4 is a conceptual diagram illustrating example resource definitiongraphs, in accordance with one or more aspects of the presentdisclosure. In FIG. 4 , each of resource definition graphs 402A and 402B(collectively, “resource definition graphs 402”) models networkresources and dependencies between the resources of the respectiveresource definition graph. Each of resource definition graphs 402 is aconstruct that is formed by modifying programmable diagnosis model 300based on programming input 310. Each of resource definition graphs 402specifies a set of resource models which contain one or more attributes,and/or one or more state(s), and/or one or more links to other resourcemodels. Each of resource definition graphs 402 defines a set ofrelationships in a resource model that characterize a certain networkcontext, which can be any of a network domain, can be a network device,a network service, etc.

In the example of FIG. 4 , resource definition graph 402A is associatedwith playbooks 404A-A and 404A-B (collectively, “playbooks 404A”), andresource definition graph 402B is associated with playbooks 404B-A and404B-B (collectively, “playbooks 404B”). Each of playbooks 404 definesthose of telemetry rules 306 that enable diagnosis service 224 to fetchstate information from network 102. Each of resource definition graphs402 captures network model and device model information, as well as thecorresponding rules of telemetry rules 306.

FIG. 5 is a conceptual diagram illustrating an example resourcedefinition graph, in accordance with one or more aspects of the presentdisclosure. FIG. 5 illustrates resource definition graph 402A of FIG. 4. In the example shown, resource definition graph 402A is a staticgraph, in that resource definition graph 402A includes definitions ofobject types (and not individual instances of the objects) of network102. Resource definition graph 402A is also pluggable, in that itprovides scalability and support for the programmability to integratenew service models. In the example of FIG. 5 , resource definition graph402A defines relationships between various object models, namely, aphysical device (IFD 502), a logical device (IFL 504), and a maximumtransmission unit size supported by the interface (MTU) 506, an internetprotocol (IP) address 508, and a border gateway protocol (BGP) session512. The inter-object links shown within resource definition graph 402Amay include one or more unidirectional relationships and/or one or morebidirectional relationships.

Resource definition graph 402A captures network model information,device model information, and corresponding telemetry rules for theresources shown. Using the information available from resourcedefinition graph 402A, controller 110 may discover the various instancesof the objects described in resource definition graph 402A included in aparticular device group of network 102. Based on the causality linkbetween IFD 502 and IFL 504, controller 110 may determine that a faultoccurring at IFD 502 potentially affects the functioning of IFL 504.Based on the causality link, diagnosis service 224 may include IFD 502in the discovery process with respect to fault investigation for IFL504. In this way, diagnosis service 224 may obtain object properties andservice properties for the device group under discovery based on thecausality links included in resource definition graph 402A.

In examples in which IFD 502 has multiple interfaces, diagnosis service224 may run programmable diagnosis model 300 to derive an inference rulethat associates the particular interface of IFD 502 with the dependentevent (e.g., packet loss or other fault) occurring at IFL 504. Diagnosisservice 224 further tunes the inference rule using one or more temporalconstraints formed based on temporal metadata 308. If the faultdiscovered at IFL 504 fits the temporally compliant inference rule,diagnosis service 224 generates forward-chained RCA output to identifythe fault at IFD 502 as either the root cause or as an intermediatecause (which leads to the root cause) of the fault discovered at IFL504.

To obtain forward-chained RCA output 312, diagnosis service 224 may usediagnosis model 304 (formed or modified using programming input 310) toautomatically derive the relevant inference rules of inference database218. Again, diagnosis service 224 may derive the inference rules tocomport with temporal constraints for causality as derived from temporalmetadata 308. In turn, diagnosis service 224 uses the inference rulesstored to inference database 218 to identify the source of the detectedevent (e.g. fault). Inference engine 226 may maintain an event in cachestorage for a specified time interval and generate an inference when apotentially dependent (e.g., downstream effect) event arrives. Upongenerating an event correlation, diagnosis service 224 may generate a“smart event” or “logical event” with an RCA tree and an identified rootcause event. Diagnosis service 224 stores the smart event and theidentified root cause event to an analytics database that may beimplemented locally at controller 110, at a remote location, or in adistributed manner.

FIG. 6A through FIG. 6D are conceptual diagrams illustrating an exampleimpact analysis performed using an instance or resource groupdependencies graph in accordance with one or more aspects of the presentdisclosure. Each of FIG. 6A through FIG. 6D illustrate dependenciesgraph 700, which shows a resource group that has a number of layers ofresources, including slots 701A, 701B, 701C, and 701D (“slots 701”),each of which may be one of many port concentrators or modular portconcentrators associated with a network or network device. Alsoillustrated in each of FIG. 6A through FIG. 6D are PFE 702A through 702C(“PFEs 702”), Ethernet interface 703A through 703D (“interfaces 703”),label-switched path (LSP) 704A through 704C (“LSPs 704”), externalBorder Gateway Protocol (eBGP) service 705A through 705C (“eBGP services705”), virtual routing and forwarding instance (VRF) 706A through 706C(“VRFs 706”), and customer edge devices or latencies 707A through 707C(“customer edge latencies 707”). Although a limited number of slots 701,PFEs 702, interfaces 703, LSPs 704, VRFs 706, customer edge latencies707 are illustrated in FIG. 6A through FIG. 6D, techniques describedherein may apply to other networks with any number of such resources, orresources of other types.

Dependencies graph 700 of FIG. 6A may correspond to a dependency modelof a network, such as network 102 described in connection with FIG. 1 .Dependencies graph 700 illustrates dependencies across each set ofinstances, or across each layer (e.g., across slots 701 to PFEs 702).Any instance shown in dependencies graph 700 (e.g., any of PFEs 702,interfaces 703, LSPs 704, eBGP services 705, VRFs 706, and/or customeredge latencies 707) may experience a failure, malfunction, glitch, orother event that may impact the operation of a network. For instance,slot 701A and each of PFEs 702 have a dependency relationship, where anevent affecting slot 701A may affect each of PFEs 702. Similarly, anevent affecting PFE 702B may affect some or all of interfaces 703. Thedependencies illustrated by dependencies graph 700 may be used (e.g., bycontroller 110) to identify the impact or effects of an event thatoccurs with respect to any of the instances illustrated in FIG. 6Athrough FIG. 6D.

FIG. 6A through FIG. 6D are described herein with reference to FIG. 1and FIG. 2 , and in particular, with reference to controller 110 of FIG.2 performing operations to carry out an impact analysis or failureimpact analysis for network 102 of FIG. 1 . To perform such an analysis,controller 110 may receive information about an event occurring withinnetwork 102, and may determine or predict the effect of such an event onother devices, services, instances, or other elements of network 102. Insome examples, controller 110 may, based on such determined or predictedeffects, identify actions or corrective actions that may be taken toreduce or eliminate any negative effects that may result from theoriginal event. Controller 110 may take action, or cause another systemto take action, to address such effects. Accordingly, if controller 110is able to accurately determine or predict the effects of an eventbefore some or all of the effects of an event actually occur, controller110 may be able to circumvent problems with network 102. Therefore,effective use of failure impact analysis may generally improve theoperation of network 102, at least by maintaining effective andefficient operation of network 102 more consistently.

In FIG. 6A, and in accordance with one or more aspects of the presentdisclosure, controller 110 may initiate an impact analysis for an eventoccurring within a resource group of network 102. For instance, in anexample that can be described with reference to FIG. 1 , FIG. 2 , andFIG. 6A, a network device, such as PFE 702B, experiences an operationalevent or failure. PFE 702B generates PFE network event 712B representingthe operational event or failure experienced by PFE 702B (see elementlabeled “712B” adjacent to PFE 702B in FIG. 6A). PFE 702B communicatesPFE network event 712B to controller 110. Network interface 204 ofcontroller 110 detects PFE network event 712B and communicatesinformation about PFE network event 712B through controller 110 and tomanagement module 212. Diagnosis service 224 of management module 212determines that the information PFE network event 712B indicates thatPFE 702B has experienced a failure. Diagnosis service 224 initiates animpact analysis for PFE network event 712B to determine what the effecton the failure of PFE 702B might be on network 102.

Controller 110 may fetch resource instances that are dependent upon PFE702B. For instance, continuing with the example being described withreference to FIG. 1 , FIG. 2 , and FIG. 6A, diagnosis service 224accesses model database 216 to fetch information about resources relatedto PFE 702B. Diagnosis service 224 receives, from model database 216,information about dependent resources of PFE 702B based on a networkmodel, such as dependencies graph 700 of FIG. 6A. In some examples, someor all of model database 216 may be implemented as a cache (e.g.,similar to temporal metadata 308) to enable dependent resourceinformation to be retrieved quickly. In such an example, diagnosisservice 224 may fetch such resource dependency information by making afunction call, which may have the form:

  Function String fetchDependentResourceIds(String  resourceId)  {. Return cache.get(resource).  }

Dependent resource information may be maintained using a one-leveldependency model, where each instance (e.g., PFE 702B) is represented asa key with one or more values that represent dependent resources. In theexample of FIG. 6A, each of interfaces 703A, 703B, 703C, and 703D have adependency relationship with PFE 702B. Accordingly, diagnosis service224 determines, based on the information received from model database216 (or a cache), that each of interfaces 703 are related to ordependent upon PFE 702B.

Controller 110 may fetch related event types based on a resource eventdependency model. For instance, still referring to the example beingdescribed with reference to FIG. 1 , FIG. 2 , and FIG. 6A, diagnosisservice 224 of controller 110 accesses a resource event dependency modelincluded within model database 216 to fetch information about dependentevents associated with a given cause event. Such a model may include adependency object that has fields that include a cause, an effectresource type, and a list of effects. For any given cause, such a modelidentifies an affected resource type and a list of effects on thatresource type. Therefore, if diagnosis service 224 provides an input(e.g., PFE network event 712B) to model database 216, where that inputspecifies a cause (e.g., PFE 702B has failed), model database 216 mayrespond by identifying a list of “effect resource types,” and for eacheffect resource type, model database 216 may further provide informationabout the list of effects that are expected or predicted to result fromthat PFE network event 712B.

Controller 110 may generate logical events (interface logical events723A, 723B, 723C, and 723D) that are triggered by PFE network event712B. For instance, referring again to the example being described withreference to FIG. 1 , FIG. 2 , and FIG. 6A, diagnosis service 224 ofcontroller 110 generates one or more inferred events that are used toidentify a network or actual event that is expected to occur as a resultof a particular cause. In some examples, diagnosis service 224 maygenerate such a logical event for each effect resource type receivedfrom model database 216. FIG. 6A illustrates such interface logicalevents 723A, 723B, 723C, and 723D using a dotted line notation forevents 723A, 723B, 723C, and 723D, indicating that such events are notactual events generated by respective interfaces 703, but rather, areinferred, predicted, or logical events generated by diagnosis service224 of controller 110.

Each logical event generated by diagnosis service 224 may include anidentifier field, an event type flag, an “is logical” flag, an “isprocessed” flag, and a context identifier. For each logical event,diagnosis service 224 uses the effect resource instance identifier andthe effect event type to generate the identifier field for each logicalevent. For each logical event, diagnosis service 224 uses the effectevent type to generate the event type field. For each logical event,diagnosis service 224 sets the “is logical” flag to true to indicatethat the event is a logical event (as opposed to a network event). Foreach logical event, diagnosis service 224 sets the “is processed” flagto true to indicate that the event has been processed. For each logicalevent, diagnosis service 224 initializes the context field using thecause network event identifier.

In some examples, diagnosis service 224 outputs interface logical events723A, 723B, 723C, and 723D to user interface module 208 to inform one ormore administrators 112 about potential impacts of the failure at PFE702B. Diagnosis service 224 may also output information about interfacelogical events 723A, 723B, 723C, and 723D to another system to enablecorrective action(s) to be taken to eliminate or mitigate potentiallynegative impacts on network 102.

In some examples, diagnosis 224 generates each logical event if theevent does not already exist. For example, in some cases, acorresponding event might already exist if an actual network eventoccurred before diagnosis service 224 could generate the logical event.In other examples, a corresponding event might already exist if alogical event had been previously generated as a result of processinganother event. If the event already exists, diagnosis service 224generates a logical event with the “is logical” flag set to false andthe inference gets triggered. One way to handle a logical eventgenerated after receiving a corresponding (“equivalent”) network eventis to merge the logical event with the network event, as furtherdescribed herein.

The following pseudocode illustrates a rule that can be used forgenerating logical events:

  query checkEventExists(string eventId)  $existing_event  :  Event( id== eventId ) end rule ‘Logical event generation rule’ when $network_event = Event(isProcessed==false)  $cause_event_type =  $network_event.getId( ) .split(“:”) [1] $network_event.setisProcessed(true)  $dependent_resource_ids =  fetchDependentResourceIds(network_event.getId( )) dependent_resource_id : string( ) from   $dependent_ resource_ids $effect_resource_type =   dependent_resource_id.split(“:”) [0] $effect_event: Dependency(cause==$cause_event_type   andeffect_resource_type ==  $effect_resource_type) .getEffects( ) checkEventExists(dependent_resource_id+$effect_event) then  if$existing_event != null:  Event $logical_event = Event( ); $logical_event.setId(dependent_resource_id+$effect_event) $logical_event.setType($effect_resource_type) $logical_event.setisProcessed(false)  $logical_event.setisLogical(true) $logical_event.setContext($network_event.getContext( )) end

FIG. 6B illustrates that generating each of interface logical events723B, 723C, and 723D may cause further logical events to be generated.For instance, continuing with the example being described but now withreference to FIG. 6B, diagnosis service 224 generates interface logicalevent 723B as described above. Diagnosis service 224 of controller 110analyzes interface logical event 723B and determines that interfacelogical event 723B is associated with interface 703B. Diagnosis service224 accesses model database 216 to retrieve information about resourcesrelated to interface 703B. Diagnosis service 224 receives, from modeldatabase 216, information identifying LSPs 704A, 704B, and 704C as beingrelated to or dependent upon interface 703B, as illustrated in FIG. 6B.At the same time, concurrently, or at a different time, diagnosisservice 224 also accesses a resource event dependency model includedwithin model database 216 to fetch information about dependent eventsassociated with interface logical event 723B. Diagnosis service 224determines, based on the dependent event information, that interfacelogical event 723B has an effect resource type and effects associatedwith each of LSPs 704A, 704B, and 704C. Diagnosis service 224 generates,based on a forward chaining analysis and the information from modeldatabase 216, new LSP logical events 724A, 724B, and 724C, indicatingthat interface logical event 723B is a cause having effects representedby LSP logical events 724A, 724B, and 724C.

FIG. 6C illustrates that interface logical event 723C generatesinterface logical events associated with VRF 706C and eBGP service 705A,and also that interface logical event 723D generates interface logicalevents associated with nVRF 706C and eBGP service 705B. For instance,again with reference to the example being described and now withreference to FIG. 2 and FIG. 6C, diagnosis service 224 analyzesinterface logical event 723C and determines that interface logical event723C is associated with interface 703C. Diagnosis service 224 accessesmodel database 216 for information about resources related to interface703C and also for information about event dependencies associated withinterface logical event 723C. Diagnosis service 224 generates, based onthe forward chaining analysis and the information from model database216, new VRF logical event 726C and new eBGP logical event 725A.

Similarly, diagnosis service 224 analyzes interface logical event 723Dand determines that interface logical event 723D is associated withinterface 703D. Diagnosis service 224 accesses model database 216 forinformation about resources related to interface 703D and also forinformation about event dependencies associated with interface logicalevent 723D. Diagnosis service 224 generates, based on the forwardchaining analysis and the model information from model database 216, newVRF logical event 726C and new eBGP logical event 725A. In someexamples, diagnosis service 224 may determine that VRF logical event726C has already been generated as a result of processing interfacelogical event 723C. In such an example, diagnosis service 224 might notgenerate an additional VRF logical event 726C, or if generated, thelater-generated VRF logical event 726C may be merged with thecorresponding VRF logical event 726C generated as a result of interfacelogical event 723C. Handling potentially duplicate logical events insuch a manner may prevent duplicative processing by controller 110 ordiagnosis service 224.

FIG. 6D illustrates that VRF logical event 726C causes CE logical events727A, 727B, and 727C. For instance, continuing with the example beingdescribed and now with reference to FIG. 2 and FIG. 6D, diagnosisservice 224 analyzes VRF logical event 726C and determines that VRFlogical event 726C is associated with VRF 706C. Diagnosis service 224accesses model database 216 to fetch information about resources relatedto VRF 706C and event dependencies associated with VRF logical event726C. Diagnosis service 224 generates, based on the information frommodel database 216, CE logical events 727A, 727B, and 727C.

In general, events associated with a network tend to benear-instantaneous and immutable. However, in at least some examplesdescribed herein, such events might not be near-instantaneous, and mightnot be immutable. In some cases, particularly for network eventsgenerated after a corresponding logical event has been processed, eventsmight be modified or merged with another event (e.g., the later networkevent might be merged with the corresponding earlier logical event).Similarly, for logical events that are generated after a correspondingactual network event (or after a corresponding logical event caused byanother logical event), such later-generated events might be modified ormerged with another (e.g., earlier) event. Modifying such an event mayhelp ensure that little or no inefficient, duplicative, or otherwiseunnecessary processing is performed as a result of redundant eventsbeing generated when performing a root cause analysis or a failureimpact analysis.

FIG. 6D illustrates an example of how one or more network events may begenerated after a corresponding earlier logical event is generated. Forinstance, in the example being described and with reference to FIG. 6D,eBGP service 705A may experience an operational event or failure aftereBGP logical event 725A has been generated by diagnosis service 224. Theoperational event or failure experienced by eBGP service 705A maytherefore be an actual effect of the original failure of PFE 702B. Insuch an example, eBGP service 705A generates eBGP network event 715A,representing the actual operational event or failure experienced by eBGPservice 705A. EBGP service 705A communicates eBGP network event 715A tocontroller 110. Network interface 204 of controller 110 detects eBGPnetwork event 715A and communicates information about eBGP network event715A through controller 110 and to management module 212. Diagnosisservice 224 of management module 212 determines that the informationeBGP network event 715A indicates that eBGP service 705A has experienceda failure. Diagnosis service 224 may initiate an impact analysis foreBGP network event 715A. Diagnosis service 224 may determine that eBGPnetwork event 715A is an effect of the failure PFE 702B. Diagnosisservice 224 may further determine that this event has already beenaddressed through previously-generated eBGP logical event 725A. In theexample being described, since the actual failure (represented by eBGPnetwork event 715A) occurs after controller 110 had processed eBGPlogical event 725A, controller 110 may have already addressed, or causedto be addressed, the effects of the failure of PFE 702B. Accordingly,diagnosis service 224 may merge eBGP network event 715A into eBGPlogical event 725A, thereby avoiding additional duplicative processingto address the effects of PFE network event 712B and eBGP network event715A.

FIG. 6D also illustrates that one or more logical events may begenerated after corresponding actual network events are generated. Forinstance, again with reference to FIG. 6D, customer edge device 707C mayexperience an operational event or failure. In the example beingdescribed, the operational event or failure occurs very early, due tonetwork traffic or other circumstances, and even occurs prior to whendiagnosis service 224 generates CE logical event 727C. In such anexample, customer edge device 707C would cause CE network event 717C tobe generated and communicated to controller 110 prior to when diagnosisservice 224 generates CE logical event 727C. When diagnosis service 224of controller 110 later processes VRF logical event 726C and generatesCE logical event 727C, as described above, diagnosis service 224 woulddetermine that it had already processed CE network event 717C. In someexamples, diagnosis service 224 would then merge CE logical event 727Cinto previously-processed CE network event 717C, thereby avoidingadditional duplicative processing to address the effects of CE logicalevent 727C.

FIG. 7 is a flow diagram illustrating operations performed by an examplecontroller in accordance with one or more aspects of the presentdisclosure. FIG. 7 is described below within the context of controller110 of FIG. 1 and FIG. 2 . In other examples, operations described inFIG. 7 may be performed by one or more other components, modules,systems, or devices. Further, in other examples, operations described inconnection with FIG. 7 may be merged, performed in a differencesequence, omitted, or may encompass additional operations notspecifically illustrated or described.

In the process illustrated in FIG. 7 , and in accordance with one ormore aspects of the present disclosure, controller 110 may generate aresource graph that models resource and event dependencies (701). Forexample, with reference to FIG. 1 and FIG. 2 , user interface 206 ofcontroller 110 detects input and outputs information about the input touser interface module 208. User interface module 208 outputs theinformation to management module 212. Configuration module 222 ofmanagement module 212 determines that the input corresponds toconfiguration information, perhaps entered by an administrator, relatingto network, such as network 102 of FIG. 1 . In some examples, theconfiguration information may be received in the form of programminginformation or programming code describing attributes of network 102.Configuration module 222 may generate one or more models based on theconfiguration information. Such models may detail resource dependencieswithin network 102 and/or detail event dependencies within network 102.Configuration module 222 stores the models in model database 216.

Controller 110 may detect a first event affecting a first resource ofthe plurality of resources (702). For example, network interface 204 ofcontroller 110 detects input and outputs information about the input tocontroller 110. Controller 110 outputs information about the input todiagnosis service 224. Diagnosis service 224 determines that the inputcorresponds to an indication and/or notification that one or moreresources within network 102 has experienced or is experiencing anoperational event. Diagnosis service 224 further determines that theinput indicates that one or more aspects of element 114B of network 102has failed.

Controller 110 may identify a second resource that is expected to beaffected by the first event (703). For example, diagnosis service 224queries model database 216 for information about resource dependenciesand event dependencies associated with element 114B. Diagnosis service224 determines, based on information from model database 216, thatelement 114A and element 114C have a resource dependency with element114B. Diagnosis service 224 further determines that element 114A has anevent dependency with element 114B, but that element 114C does not havean event dependency with element 114B. Diagnosis service 224 generatesone or more logical events for element 114A. Diagnosis service 224 usesthe logical events to determine that element 114A is expected to beaffected by the failure of element 114B.

For processes, apparatuses, and other examples or illustrationsdescribed herein, including in any flowcharts or flow diagrams, certainoperations, acts, steps, or events included in any of the techniquesdescribed herein can be performed in a different sequence, may be added,merged, or left out altogether (e.g., not all described acts or eventsare necessary for the practice of the techniques). Moreover, in certainexamples, operations, acts, steps, or events may be performedconcurrently, e.g., through multi-threaded processing, interruptprocessing, or multiple processors, rather than sequentially. Furthercertain operations, acts, steps, or events may be performedautomatically even if not specifically identified as being performedautomatically. Also, certain operations, acts, steps, or eventsdescribed as being performed automatically may be alternatively notperformed automatically, but rather, such operations, acts, steps, orevents may be, in some examples, performed in response to input oranother event.

For ease of illustration, only a limited number of devices (are shownwithin the Figures and/or in other illustrations referenced herein.However, techniques in accordance with one or more aspects of thepresent disclosure may be performed with many more of such systems,components, devices, modules, and/or other items, and collectivereferences to such systems, components, devices, modules, and/or otheritems may represent any number of such systems, components, devices,modules, and/or other items.

The Figures included herein each illustrate at least one exampleimplementation of an aspect of this disclosure. The scope of thisdisclosure is not, however, limited to such implementations.Accordingly, other example or alternative implementations of systems,methods or techniques described herein, beyond those illustrated in theFigures, may be appropriate in other instances. Such implementations mayinclude a subset of the devices and/or components included in theFigures and/or may include additional devices and/or components notshown in the Figures.

The detailed description set forth above is intended as a description ofvarious configurations and is not intended to represent the onlyconfigurations in which the concepts described herein may be practiced.The detailed description includes specific details for the purpose ofproviding a sufficient understanding of the various concepts. However,these concepts may be practiced without these specific details. In someinstances, well-known structures and components are shown in blockdiagram form in the referenced figures in order to avoid obscuring suchconcepts.

Accordingly, although one or more implementations of various systems,devices, and/or components may be described with reference to specificFigures, such systems, devices, and/or components may be implemented ina number of different ways. For instance, one or more devicesillustrated herein as separate devices may alternatively be implementedas a single device; one or more components illustrated as separatecomponents may alternatively be implemented as a single component. Also,in some examples, one or more devices illustrated in the Figures hereinas a single device may alternatively be implemented as multiple devices;one or more components illustrated as a single component mayalternatively be implemented as multiple components. Each of suchmultiple devices and/or components may be directly coupled via wired orwireless communication and/or remotely coupled via one or more networks.Also, one or more devices or components that may be illustrated invarious Figures herein may alternatively be implemented as part ofanother device or component not shown in such Figures. In this and otherways, some of the functions described herein may be performed viadistributed processing by two or more devices or components.

Further, certain operations, techniques, features, and/or functions maybe described herein as being performed by specific components, devices,and/or modules. In other examples, such operations, techniques,features, and/or functions may be performed by different components,devices, or modules. Accordingly, some operations, techniques, features,and/or functions that may be described herein as being attributed to oneor more components, devices, or modules may, in other examples, beattributed to other components, devices, and/or modules, even if notspecifically described herein in such a manner.

Although specific advantages have been identified in connection withdescriptions of some examples, various other examples may include some,none, or all of the enumerated advantages. Other advantages, technicalor otherwise, may become apparent to one of ordinary skill in the artfrom the present disclosure. Further, although specific examples havebeen disclosed herein, aspects of this disclosure may be implementedusing any number of techniques, whether currently known or not, andaccordingly, the present disclosure is not limited to the examplesspecifically described and/or illustrated in this disclosure.

In one or more examples, the functions described may be implemented inhardware, software, firmware, or any combination thereof. If implementedin software, the functions may be stored, as one or more instructions orcode, on and/or transmitted over a computer-readable medium and executedby a hardware-based processing unit. Computer-readable media may includecomputer-readable storage media, which corresponds to a tangible mediumsuch as data storage media, or communication media including any mediumthat facilitates transfer of a computer program from one place toanother (e.g., pursuant to a communication protocol). In this manner,computer-readable media generally may correspond to (1) tangiblecomputer-readable storage media, which is non-transitory or (2) acommunication medium such as a signal or carrier wave. Data storagemedia may be any available media that can be accessed by one or morecomputers or one or more processors to retrieve instructions, codeand/or data structures for implementation of the techniques described inthis disclosure. A computer program product may include acomputer-readable medium.

By way of example, and not limitation, such computer-readable storagemedia can include RAM, ROM, EEPROM, optical disk storage, magnetic diskstorage, or other magnetic storage devices, flash memory, or any othermedium that can be used to store desired program code in the form ofinstructions or data structures and that can be accessed by a computer.Also, any connection is properly termed a computer-readable medium. Forexample, if instructions are transmitted from a website, server, orother remote source using a coaxial cable, fiber optic cable, twistedpair, or wireless technologies such as infrared, radio, and microwave,then the coaxial cable, fiber optic cable, twisted pair, or wirelesstechnologies such as infrared, radio, and microwave are included in thedefinition of medium. It should be understood, however, thatcomputer-readable storage media and data storage media do not includeconnections, carrier waves, signals, or other transient media, but areinstead directed to non-transient, tangible storage media. Combinationsof the above could also be included within the scope ofcomputer-readable media.

Instructions may be executed by one or more processors, such as one ormore digital signal processors (DSPs), general purpose microprocessors,application specific integrated circuits (ASICs), field programmablelogic arrays (FPGAs), or other equivalent integrated or discrete logiccircuitry. Accordingly, the terms “processor” or “processing circuitry”as used herein may each refer to any of the foregoing structure or anyother structure suitable for implementation of the techniques described.In addition, in some examples, the functionality described may beprovided within dedicated hardware and/or software modules. Also, thetechniques could be fully implemented in one or more circuits or logicelements.

The techniques of this disclosure may be implemented in a wide varietyof devices or apparatuses, including a wireless handset, a mobile ornon-mobile computing device, a wearable or non-wearable computingdevice, an integrated circuit (IC) or a set of ICs (e.g., a chip set).Various components, modules, or units are described in this disclosureto emphasize functional aspects of devices configured to perform thedisclosed techniques, but do not necessarily require realization bydifferent hardware units. Rather, as described above, various units maybe combined in a hardware unit or provided by a collection ofinteroperating hardware units, including one or more processors asdescribed above, in conjunction with suitable software and/or firmware.

What is claimed is:
 1. A system comprising processing circuitry and astorage device, wherein the processing circuitry has access to thestorage device and is configured to: detect a first network eventaffecting a first resource of a plurality of resources on a network;generate, based on dependencies among the plurality of resources, alogical event associated with a second resource, wherein the secondresource is expected to be affected by the first network event; detect,after generating the logical event associated with the second resource,a second network event affecting the second resource; refrain fromprocessing the second network event, wherein to refrain from processingthe second network event, the processing circuitry is further configuredto merge the second network event into the logical event associated withthe second resource; and prior to detecting the second network event,process the logical event associated with the second resource.
 2. Thesystem of claim 1, wherein to refrain from processing the second networkevent, the processing circuitry is configured to: avoid duplicativeprocessing associated with processing the second network event.
 3. Thesystem of claim 1, wherein to generate the logical event associated withthe second resource, the processing circuitry is further configured to:generate a resource graph that models dependencies between the pluralityof resources on the network.
 4. The system of claim 3, wherein togenerate the resource graph, the processing circuitry is furtherconfigured to: generate the resource graph based on event dependenciesamong the plurality of resources.
 5. The system of claim 4, wherein togenerate the resource graph, the processing circuitry is furtherconfigured to: generate the resource graph further based on resourcedependencies among the plurality of resources.
 6. The system of claim 3,wherein to generate the logical event associated with the secondresource, the processing circuitry is further configured to: apply theresource graph to generate a plurality of inference rules with respectto the plurality of resources modeled by the resource graph.
 7. Thesystem of claim 3, wherein to generate the resource graph, theprocessing circuitry is further configured to: receive programminginput; and generate the resource graph based on the programming input.8. The system of claim 3, wherein to generate the resource graph, theprocessing circuitry is further configured to: apply temporalconstraints to each of the dependencies modeled by the resource graph.9. The system of claim 1, wherein to generate the logical eventassociated with the second resource, the processing circuitry is furtherconfigured to: determine that the second resource has both resource andevent dependencies on the first resource.
 10. The system of claim 1,wherein to generate the logical event associated with the secondresource, the processing circuitry is further configured to: perform aforward chaining analysis to identify the second resource.
 11. A systemcomprising processing circuitry and a storage device, wherein theprocessing circuitry has access to the storage device and is configuredto: detect a first network event affecting a first resource of aplurality of resources on a network; generate, based on dependenciesamong the plurality of resources, a logical event associated with asecond resource, wherein the second resource is expected to be affectedby the first network event; detect, after generating the logical eventassociated with the second resource, a second network event affectingthe second resource; refrain from processing the second network event;generate, based on dependencies among the plurality of resources, alogical event associated with a third resource, wherein the thirdresource is expected to be affected by the first network event; detect,before generating the logical event associated with the third resource,a third network event affecting the third resource; and refrain fromprocessing the logical event associated with the third resource.
 12. Thesystem of claim 11, wherein to refrain from processing the logical eventassociated with the third resource, the processing circuitry is furtherconfigured to: merge the logical event associated with the thirdresource into the third network event.
 13. The system of claim 12,wherein the processing circuitry is further configured to: prior togenerating the logical event associated with the third resource, processthe third network event.
 14. The system of claim 12, wherein to refrainfrom processing the logical event associated with the third resource,the processing circuitry is configured to: avoid duplicative processingassociated with processing the logical event associated with the thirdresource.
 15. A method comprising: detecting, by a control system, afirst network event affecting a first resource of a plurality ofresources on a network; generating, by the control system and based ondependencies among the plurality of resources, a logical eventassociated with a second resource, wherein the second resource isexpected to be affected by the first network event; detecting, by thecontrol system and after generating the logical event associated withthe second resource, a second network event affecting the secondresource; refraining, by the control system, from processing the secondnetwork event, wherein refraining from processing the second networkevent includes merging the second network event into the logical eventassociated with the second resource; and prior to detecting the secondnetwork event, processing the logical event associated with the secondresource.
 16. The method of claim 15, further comprising: generating, bythe control system and based on dependencies among the plurality ofresources, a logical event associated with a third resource, wherein thethird resource is expected to be affected by the first network event;detecting, by the control system and before generating the logical eventassociated with the third resource, a third network event affecting thethird resource; and refraining, by the control system, from processingthe logical event associated with the third resource.
 17. The method ofclaim 16, wherein refraining from processing the logical eventassociated with the third resource includes: merging the logical eventassociated with the third resource into the third network event.
 18. Anon-transitory computer-readable storage medium comprising instructionsthat, when executed, configure processing circuitry of a computingsystem to: detect a first network event affecting a first resource of aplurality of resources on a network; generate, based on dependenciesamong the plurality of resources, a logical event associated with asecond resource, wherein the second resource is expected to be affectedby the first network event; detect, after generating the logical eventassociated with the second resource, a second network event affectingthe second resource; refrain from processing merge the second networkevent; merge the second network event into the logical event associatedwith the second resource; and prior to detecting the second networkevent, process the logical event associated with the second resource.